[HECnet] Security hole in CSWS

Sampsa Laine sampsa at mac.com
Tue Sep 22 21:04:30 PDT 2009 

That is EXACTLY the kind of glaring inaccuracies I was looking for..

Cheers.

Sampsa

On 22 Sep 2009, at 21:03, Steve Davidson wrote:

Sampsa,

TOPS-20 never ran on a PDP-11.   TOPS-20 ran on the 36-bit DECsystem-20.

-Steve

-----Original Message-----
From: owner-hecnet at Update.UU.SE [mailto:owner-hecnet at Update.UU.SE] On
Behalf Of Sampsa Laine
Sent: Tuesday, September 22, 2009 15:56
To: hecnet at Update.UU.SE
Subject: Re: [HECnet] Security hole in CSWS

Guys, I've written a quick blurb about the flaw I found etc that I'm
posting on my blog once the Apace guys say they're releasing it.

Comments? Glaring factual inaccuracies? The intended audience is a
fairly technical bunch, prob mostly infosec consultants and pentesters.

http://rhesus.sampsa.com/csws-flaw/


On 22 Sep 2009, at 20:34, Sampsa Laine wrote:

It appears that
	
	RewriteRule (;[0-9]*\?)|(;[0-9]*$) [R]

works as well.

The VMS Apache guys know about this and are working on it as we
speak, but I would suggest letting any clients etc know about this
before the formal advisory goes out as I should think this will hit
the automated testing tools such as Nessus pretty soon after that.

Sampsa

On 22 Sep 2009, at 20:27, Pontus wrote:

Hi

I'm not going to pretend I know mod_rewrite, but I spent some time
with
the docs and thought you could use the grouping info to replace with
what you matched:

(.*)(;[0-9]*\?) $1
(.*)(;[0-9]*$) $1

(I wrote two rules as I'm uncertain how the | binds)

Alternatively this passage from the docs might provide an alternative
solution:

<snip>

Additionally you can set special flags for Substitution by appending

[flags]

as the third argument to the RewriteRule directive. Flags is a
comma-separated list of the following flags:

<...>

- *||*'forbidden|F' (force URL to be forbidden)
This forces the current URL to be forbidden, i.e., it immediately
sends
back a HTTP response of 403 (FORBIDDEN). Use this flag in conjunction
with appropriate RewriteConds to conditionally block some URLs.

</snip>

Then you could at least avoid people reading the source.

/Pontus.

Sampsa Laine wrote:
Dennis,

I've got the rule down to:

RewriteRule (;[0-9]*\?)|(;[0-9]*$) /

but this is not ideal, as I don't really want to replace the ;
with a
/, just drop it but can't figure out the syntax for "replace with
nothing".

Any ideas?

Sampsa

On 21 Sep 2009, at 22:12, Dennis Boone wrote:

Yes, I have reported it to VMS engineering in India about an
hour ago
(well I assume in India, the guys had subcontinent accents) and
they
said they'd get back to me.

In the meantime, if CSWS has mod_rewrite, you might be able to
produce a
temporary fix in the form of a rewrite rule that rips the ;* off
the
end[1]
of .php urls.

[1] Well, ok, might be the middle too, if it's a GET with
parameters,
but that's just a slightly more involved pattern.

De

More information about the Hecnet-list mailing list